Auditing User Password Strength in AD

The complexity of user passwords in an Active Directory domain is one of the key security elements, both for user data and for the entire domain. As a rule, users prefer weak, easy-to-remember passwords, which significantly reduces the protection of their accounts against hackers. In this article, we’ll show how to audit user password strength in Active Directory using PowerShell.

To test how well user passwords resist attacks, we’ll use a third-party PowerShell module, DSInternals. This module contains a number of cmdlets that perform different operations on the AD database in online or offline mode (directly against ntds.dit). In particular, we are interested in the Test-PasswordQuality cmdlet, which detects users with weak, similar, standard or blank passwords.

Note. User passwords cannot be obtained from the AD database as plain text. However, by comparing the password hashes of AD users with the hashes of words from a dictionary, you can identify user passwords (or compare them with one another).

How to Install DSInternals Module

In PowerShell 5 you can install DSInternals online from the official PowerShell Gallery as follows:

Install-Module DSInternals

In earlier PowerShell versions or on isolated systems, download the .zip archive with the latest module version from GitHub (https://github.com/MichaelGrafnetter/DSInternals/releases). At the time this article was written, the latest release was DSInternals v2.16.1. Unzip the archive into one of the directories containing PowerShell modules:

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals

C:\Users\%username%\Documents\WindowsPowerShell\Modules\DSInternals

Or import the module using this command:

Import-Module C:\distr\PS\DSInternals\DSInternals.psd1

The list of available cmdlets can be obtained as follows:

Get-Command -Module DSInternals

Password Dictionary

Next, we’ll need a file containing a dictionary of commonly used or “bad” passwords. You can download one from the Internet or create it yourself. User accounts in Active Directory will be checked against the passwords in this dictionary. Let’s save the passwords in the text file PasswordDict.txt.

Audit of AD Passwords Using Test-PasswordQuality

In the following variables, specify the path to the file with passwords, the domain name and the domain controller name.

Then get NT hashes for all passwords from the dictionary file to compare them to the password hashes of AD users:

$Dict = Get-Content $DictFile | ConvertTo-NTHashDictionary

Then, using the Get-ADReplAccount cmdlet, get the list of AD objects along with their NT and LM hashes and their hash history. The password hash of each user is then compared to the hashes from the dictionary file.
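
The steps above combined into one script, as an added example that is not from the original article. It assumes DSInternals v2.x (the release the article names, where ConvertTo-NTHashDictionary and the -WeakPasswordHashes parameter are available); the file paths, domain controller name and naming context are placeholders.

```powershell
# Added example: full audit run assembled from the steps in the article.
# All four values below are placeholders; substitute your own.
$DictFile = 'C:\Audit\PasswordDict.txt'     # placeholder path to the dictionary file
$DC       = 'dc01.example.local'            # placeholder domain controller name
$Domain   = 'DC=example,DC=local'           # placeholder domain naming context
$Report   = 'C:\Audit\PasswordQuality.txt'  # placeholder path for the report

Import-Module DSInternals -ErrorAction Stop

# Stop before touching the domain controller if the dictionary is missing.
if (-not (Test-Path -LiteralPath $DictFile)) {
    throw "Dictionary file not found: $DictFile"
}

# Hash every non-empty dictionary line once, so that each account
# only needs a hash lookup instead of a per-word comparison.
$Dict = Get-Content -LiteralPath $DictFile |
    Where-Object { $_.Trim() } |
    ConvertTo-NTHashDictionary

# Get-ADReplAccount reads account hashes over directory replication, so the
# account running this script needs replication rights in the domain.
# -ShowPlainTextPasswords prints the matching dictionary word next to each
# account, as in the article's sample report; drop it to list names only.
# -IncludeDisabledAccounts extends the check to disabled accounts.
Get-ADReplAccount -All -Server $DC -NamingContext $Domain |
    Test-PasswordQuality -WeakPasswordHashes $Dict -ShowPlainTextPasswords -IncludeDisabledAccounts |
    Out-File -FilePath $Report -Encoding utf8
```

The report lists accounts together with their matched passwords, so keep the output file in a location only the auditors can read.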

Historical passwords of these accounts have been found in the dictionary:

administrator Pa$$w0rd

pvoeten September2016

bmccarthy August2016

These groups of accounts have the same passwords:

Group 1:

dmitchellt

bmccarthy

jseale

locadmin

Group 2:

gmiller

pvoeten

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These administrative accounts are allowed to be delegated to a service:

Administrator

jseale

krbtgt

pvoeten

Passwords of these accounts will never expire:

jsmith

kabrams

These accounts are not required to have a password:

usertest1

usertest2

As you can see, AD users whose passwords match those in the dictionary have been found (the user password history has been searched as well). Users sharing the same password have also been detected.

So, using this scenario you can easily analyze the quality of AD user passwords and their resistance to brute force, evaluate the current password complexity policy and draw the necessary conclusions. Active Directory administrators can (and should) perform this audit regularly.